[Proposal] Resolving the IP address contention issue

[nishanttotla]

What is the Issue?

When tasks are removed from SwarmKit, they're immediately removed from the object store, along with all the resources allocated to them (this includes IP addresses). But, actual task containers can take much longer to shut down, as they finish their shutdown procedures. This means that IP addresses might be held for longer. If new tasks get created in the meantime, they may be allocated the same IP address, leading to a conflict, or just a wonky state until old tasks finish their shutdown.

Existing Mitigations

There were two fixes that were recently added to alleviate this problem

1. Putting used IP addresses to the end of the queue, so that it's less likely that an already used IP address is allocated to a new task. For deployments with rapid creation of new tasks, or small subnets, this doesn't do much.
2. On the overlay network, if the same IP is used for some reason, then there is better handling so that the configuration in the kernel is consistent across nodes. This helps when the subnet is almost exhausted, but hides the fact that such a thing is happening. This might make it harder to debug the network if issues do arise.

While these mitigations are reasonable, they don't fix the root cause, and don't guarantee that the issue will not come up.

Long Term Fix

The long term fix involves not freeing up resources immediately when the task gets removed. This is a rough draft of the fix, which might evolve as it becomes clearer:

When a task is removed,

1. Update desired state for the task to REMOVED (this is a new task status), instead of removing it from the object store
2. Dispatcher tells the agent that desired state has been updated to removed, and the agent is responsible for going through task shutdown
3. The task reaper only removes the task when desired state is REMOVED and actual state > RUNNING (the task reaper is the only place where a task should be removed)

We may or may not revert the mitigations once the long term fix is in, but we should test without the mitigations. Additionally, we will need to decide how the API deals with REMOVED tasks (whether they are returned by default or not). But we can get to these questions later.

[anshulpundir]

Spoke with @nishanttotla about this offline, but capturing here too: we should look at the different states available and see how does it all works together with the new proposed state of REMOVED. Maybe there is opportunity for consolidation of behavior, or maybe this can be named something more generic like CLEANUP, which is an indication to the task reaper to clean this task up.

Also:

Dispatcher tells the agent that desired state has been updated to removed

Does the dispatcher tell the agent or is this done indirectly through a watch ?

[nishanttotla]

Based on #2408 (comment), I'm also wondering if we can somehow utilize the ORPHANED state to free up resources, instead of defining a new state like @anshulpundir pointed out above.

cc @aaronlehmann

[anshulpundir]

Maybe this could work. We could potentially rename ORPHANED to something more generic e.g. CLEANUP and use it for all the cases where a cleanup is required.

BTW, when nodes are removed, why are they not kept around as a part of the history ? I'm trying to understand swarmkit's history policy. @nishanttotla @aaronlehmann

[aaronlehmann]

Aside from some corner cases like deleting a node, we don't remove tasks before they shut down. The current general flow is:

• Manager sets the desired state to "shutdown"
• Worker shuts down the task
• The actual state gets reported as "shutdown"
• The manager frees resources such as IP addresses associated with the task
• Depending on the task retention policy, the task object may be deleted in the object store.

The "orphaned" state only comes into play when the node is unresponsive, and doesn't report that the task has shut down. To avoid holding onto the resources for ever, they get "timed out", I think after 24 hours.

I vaguely remember hearing about a race on the worker side, where it would report that the task had shut down before it truly freed the network resources associated with it. It had something to do with libnetwork doing this resource deallocation asynchronously. So that may be the real source of the problem. I don't think we need any additional states to make the resource deallocation robust. We just need to make sure that tasks are not deleted prematurely, and that resources are not still in use on the worker side when the worker reports that a task has shut down.

[aaronlehmann]

Another source of problems could be scale-down. We delete tasks immediately in this case. That was done because otherwise the no-longer-alive tasks would clutter the docker service ps output indefinitely. It might be better to mark those tasks as scaled-down in some way, and have the docker service ps command ignore them.

[anshulpundir]

Clarified the use-case with @aluzzardi just now. There's two, both for replicated services: 1. service delete, and 2. scale-down for replicated services.

1. Service deletes: I see why we delete tasks right away in this case: if we mark the tasks shutdown, there is no way for the reaper to clean these up. So, they are directly removed. Although I am not sure how adding a new state would help here.

2. Scale down, @aaronlehmann explanation above. I agree with the proposal: decluttering docker service ps output is not a strong enough motivation to design the system in this way and it should be handled another way, likely by letting tasks shutdown before cleanup.

@nishanttotla

[anshulpundir]

Possible solution for service deletes: we delete service object, and set the desired state for its task to shutdown. Then, when the current state changes to shutdown, we mark it orphaned (since the service is already gone).

For scale down, we also set the desired state to shutdown. TBD on if/how to handle docker ps output.

[aaronlehmann]

Overall that sounds good to me. I'm not sure about marking the tasks orphaned though. Orphaned is used to override the current state when it doesn't update in time. If it does update to shutdown, why do you need to mark it orphaned?

[anshulpundir]

If it does update to shutdown, why do you need to mark it orphaned?

In case of service delete, my understanding is that otherwise these tasks would never be deleted since the task reaper can only look at existing services. Even for the scale down case, the task reaper will not clean up the slot which has been scaled down. Please correct me if I am wrong. @aaronlehmann

[aaronlehmann]

I don't think setting a service task to orphaned will cause it to get deleted either. The task reaper would need to deal with this case where the service doesn't exist anymore.

…

If it does update to shutdown, why do you need to mark it orphaned? In case of service delete, my understanding is that otherwise these tasks would never be deleted since the task reaper can only look at existing services. Even for the scale down case, the task reaper will not clean up the slot which has been scaled down. @aaronlehmann — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[anshulpundir]

The task reaper would need to deal with this case where the service doesn't exist anymore.

Completely agree. This would be the clean way of doing it. Setting the task to orphaned in this case is hacky.

However, I see that task reaper listens for task update events. So, when a task is set to orphaned, I believe it should be cleaned up the task reaper.